Hi, i have a duration in seconds and want to convert it to days, hours and minutes. The additional seconds should be just cut off in the output. Ideally there should be no leading zeros (not "04 hours" but "4 hours") and if days, hours or minutes is 0 they should not be displayed in the output. Examples: Duration in seconds Output 14400 "4 hours" 14432 "4 hours" 604800 "7 days" 1800 "30 minutes" 108002 "1 day 6 hours"

Evenid monitoring--> Need to get all  the event Id details to splunk used below stanza is and is not getting data n Please help  [WinEventLog://Setup] checkpointInterval = 5 current_only = 0 disabled = 0 whitelist1 = 1,2,3,4 index = sag_windows_normal ignoreOlderThan = 7d sourcetype = WinEventLog:Setup [WinEventLog://Application] checkpointInterval = 5 current_only = 0 disabled = 0 whitelist = * index = sag_windows_normal ignoreOlderThan = 7d sourcetype = WinEventLog:Application [WinEventLog://System] checkpointInterval = 5 current_only = 0 disabled = 0 whitelist1 = * index = sag_windows_normal ignoreOlderThan = 7d sourcetype = WinEventLog:System

Running a Windows 2012 R2 DHCP Server with UF 9.0.1 and Splunk Enterprise 8.0.5. My inputs at the UF look like this:   [default] index = windowsdhcp _TCP_ROUTING = prod [WinEventLog://System] start_from = oldest disabled = 0 current_only = 0 whitelist1 = SourceName="DhcpServer" whitelist2 = SourceName="Dhcp-Server" [WinEventLog://DHCPAdminEvents] start_from = oldest disabled = 0   My issue is that the whitelisted events in the 1st stanza are not getting processed to the indexer. If I review the XML of the events in the Windows Event Viewer: These events are collected and indexed:   - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" /> <EventID>20251</EventID> <Version>0</Version> <Level>4</Level> <Task>121</Task> <Opcode>106</Opcode> <Keywords>0x2000000000000000</Keywords> <TimeCreated SystemTime="2022-10-29T12:25:40.655052000Z" /> <EventRecordID>161</EventRecordID> <Correlation /> <Execution ProcessID="3884" ThreadID="4472" /> <Channel>DhcpAdminEvents</Channel> <Computer>dhcp-srv-a.mydomain.com</Computer> <Security UserID="S-1-5-20" /> </System> - <EventData> <Data Name="Server">dhcp-srv-b.mydomain.com</Data> <Data Name="RelationName">dhcp-srv-b.mydomain.com-dhcp-srv-a.mydomain.com</Data> <Data Name="OldState">COMMUNICATION_INT</Data> <Data Name="NewState">NORMAL</Data> </EventData> </Event>   These events do not get captured (Note: event is in classic format):   Log Name: System Source: Microsoft-Windows-DHCP-Server Date: 14/11/2022 23:11:37 Event ID: 1376 Task Category: None Level: Warning Keywords: Classic User: N/A Computer: dhcp-srv-a.mydomain.com Description: IP address range of scope 10.119.6.0 is 89 percent full with only 6 IP addresses available. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> <EventID Qualifiers="0">1376</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2022-11-14T23:11:37.000000000Z" /> <EventRecordID>87097</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>System</Channel> <Computer>dhcp-srv-a.mydomain.com</Computer> <Security /> </System> <EventData> <Data>10.119.6.0</Data> <Data>89</Data> <Data>6</Data> </EventData> </Event>     I can't see why it is not collecting the second event via the 1st stanza?

Hello, For the past week I've been working in a way to run some queries for a report about vulnerability findings. I have made a lookup table for the vulnerability details and I call that to the main query to do the work. However, I'm currently having a bit of trouble trying to figure out the scheduled query to run in order to update the vulnerabilities details lookup table. Since Rapid 7 sometimes doesn't import well their vulnerability definitions to splunk (i.e: there are 270000 lines but for some reason, some day only 12000 gets imported into splunk) I wanted to make some validations before deciding to run  the outputlookup to update the table. To do this I had deviced this so far:     index=rapid7 sourcetype="rapid7:insightvm:vulnerability_definition" | dedup id | lookup soc_vulnerabilities.csv vulnerability_id OUTPUT vulnerability_id title description | stats count as today | append [| inputlookup soc_vulnerabilities.csv | stats count as yesterday] | eval prov=yesterday | eval conditional=if(today>=yesterday,1,0) | table conditional, today, yesterday, prov     As you can see, all I'm doing is validating if the amount of lines being imported to splunk are the same or greater than the current amount of lines stored in the lookup table. Thing is, the eval with the conditional isnt working because both total values are being shown as if they were unrelated, which they kind of are. The result table is as follows: conditional today yesterday prov 0 238732     0   238732 238732 What I want is to compare both today and yesterday values in order to determine if the lookup table should or should not be updated. I've been looking at the documentation for a way to make it work and also checked some other posts here in the forums but I haven't found a similar case. I hope it's not because it is impossible, nevertheless, I'd appreciate if you guys could help me to figure this out or should I try to solve this problem from other perspective. Additional info: For those who have worked with this logs before, vulnerability_id field in that sourcetype doesn't exists, so we created it via CLI in the normalization options thing. Thanks in advance.

I have a line chart panel in my dashboard that's comparing two series of datapoints, and I have "charting.legend.mode" set to "seriesCompare" to see the values next to the appropriate series name in the legend. Trouble is, the font color used for those values is very light and difficult to see.  Can an adjustment be made to change the font color of those compare values? I've circled the value in the screen capture below:    

Hi, I have an xml response in the below format. I'm trying to read the BusinessId value of this. Since there are multiple, I want to read only the first one and use it as part of my report. This is how my query looks: index=customer app_name="searchservice" | rex field=msg "BusinessId>(?P<BusinessId>[0-9]*)<\/" | table Client, MethodName, BusinessId,CorrelationId Fields Client, MethodName and CorrelationId have already been parsed out. The issue I'm seeing is that if the response xml has multiple entries of BusinessId, it doesn't show up in the result as shown in the first two correlation ids. For the next two, the xml had only one instance BusinessId, so it showed up in the response. How do I fix the regex to parse only the first instance and ignore the rest? Thanks, Arun